What sort of price are you looking to pay? I've written a lot of secure software in the past, and I may well be able to recommend a couple of firms who have done a similar job for me but I'm afraid they don't come terribly cheap.
Oh, OK. The number I was looking for something close to had a couple more zeros on the end of it, I'm afraid. A decent code audit will take about a quarter of the time it took to write the code and its accompanying tests, and is an extremely specialised job. I'm not sure I can recommend anything in that sort of price range.
What is it you're actually wanting audited, and what is at stake if it turns out to be broken?
I was imagining presenting our security model to someone (or a team), having them ask questions, and then do some analysis of our systems to make sure we've implemented the model correctly (and don't have other gaping holes). Although a full audit of the code would be much more complete and secure, I was looking for a slightly different risk/cost tradeoff.
Generally, this sort of thing isn't worthwhile unless the liabilities you're exposed to by being broken are in excess of about $10M. Anything less than that, and it's a job for a butch insurance policy.
If you're reasonably confident that you've got a decent security model, and you've coded it defensively, you're probably OK. I wouldn't stress about it too much at this point.
We're certainly under $10M in liability, we're confident in our model, and we're seeking less formal (but free) feedback from friends and peers on it, so I think you're right - we just won't stress about it too much right now.
Thanks a lot for the advice. I really appreciate it.